CIT 480 Securing Computer Systems: TCP/IP Security Topics

Slides: 32
CIT 480: Securing Computer Systems, TCP/IP Security

Topics
1. Internet Protocol (IP)
2. IP Spoofing and Other Vulnerabilities
3. ICMP
4. Transmission Control Protocol (TCP)
5. TCP Session Hijacking
6. UDP

Internet Protocol (IP)
Connectionless
– Each packet is transported independently from other packets.
Unreliable
– Delivery on a best-effort basis.
– No acknowledgments.
– Packets may be lost, reordered, corrupted, or duplicated.
IP packets
– Encapsulate TCP and UDP packets.
– Encapsulated into link-layer frames.
(Figure: a data link frame carries an IP packet, which carries a TCP or UDP packet.)

IP Addresses
32-bit integers that identify a machine on the net.
Dotted decimal notation: ii.jj.kk.ll
DNS translates names to IP addresses.
Example: 172.16.254.1 = 10101100.00010000.11111110.00000001 (each field is 1 byte; 32 bits = 4 bytes)
IPv6 addresses are 128-bit integers written like 2001:0db8:0000:ff00:0042:8329

Network Address Translation
Uses a public IP address to represent private IPs.
– Translates source IP in outgoing packets.
– Translates destination IP in incoming packets.
– Router keeps a table of translations.
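The three bullets above describe a translation table; the following is an added example (not code from the slides) of a minimal port-based NAT router that keeps such a table, rewrites the source of outgoing packets, rewrites the destination of the matching replies, and drops inbound packets for which no translation exists. The addresses, the public IP `203.0.113.5` and the `Packet`/`NatRouter` names are constructed for the example.

```python
# Added example: a minimal NAPT translation table, not the slides' code.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"   # assumed public address of the router (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port) -> public source port chosen for it
        self.outbound: Dict[Tuple[str, int], int] = {}
        # public source port -> (private_ip, private_port)
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outgoing(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network; allocate a
        table entry the first time a private (ip, port) pair is seen."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_incoming(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a reply back to the private host. Unsolicited
        inbound packets (no table entry) get None, i.e. they are dropped: this is
        the 'hides many IP addresses behind one' property of NAT."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[pkt.dst_port]
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    """Two private hosts using the same local port share one public address."""
    nat = NatRouter(PUBLIC_IP)
    out1 = nat.translate_outgoing(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    out2 = nat.translate_outgoing(Packet("192.168.1.11", 51000, "198.51.100.7", 80))
    reply = Packet("198.51.100.7", 80, PUBLIC_IP, out2.src_port)
    back = nat.translate_incoming(reply)
    stray = nat.translate_incoming(Packet("198.51.100.7", 80, PUBLIC_IP, 40999))
    return out1, out2, back, stray
```

Because both private hosts chose local port 51000, the router must pick a distinct public port per host; the reply is matched on that public port alone, which is why the table is keyed by it.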

IP Address Geolocation
• ISPs get blocks of IP addresses from ARIN.
• ARIN database records where IP addresses are.
• Application layer and time data may help reveal details.
Check http://www.findmyip.org/ for your location.

IP Header

IP Routing
A router bridges two or more networks
– Operates at the network layer.
– Maintains tables to forward packets to the appropriate network.
– Forwarding decisions based solely on the destination address.
Routing table
– Maps ranges of IP addresses to LANs or other gateway routers.

IP Routing
Same IP address at each hop used to route the data packet. New MAC address at each hop.

IP Vulnerabilities
1. Unencrypted transmission
– Eavesdropping possible at any intermediate host during routing.
2. No source authentication
– Sender can spoof the source address, making it difficult to trace a packet back to the attacker.
3. No integrity checking
– Entire packet, header and payload, can be modified while en route to the destination, enabling content forgeries, redirections, and man-in-the-middle attacks.
4. No bandwidth constraints
– Large numbers of packets can be sent to DoS a target.
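Points 2 and 3 above are easiest to see at the byte level. The following is an added example (not from the slides) that builds a 20-byte IPv4 header, verifies its RFC 1071 checksum, and shows two things a defender should keep straight: a corrupted header fails the check, but a header whose source address was changed and whose checksum was recomputed passes it, because the IPv4 checksum exists for accidental corruption, not for authenticity or integrity. The addresses and field values are constructed.

```python
# Added example: IPv4 header build/parse with checksum verification; not the slides' code.
import ipaddress
import struct

# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words. Over a header whose checksum
    field is zero it yields the value to store; over a header that already holds a
    correct checksum it yields 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = PROTO_TCP, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte header without options and with a correct checksum."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed part of the header and report whether the checksum verifies."""
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, data[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "id": ident,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_valid": ipv4_checksum(data[:ihl]) == 0,
    }


def rewrite_source(header: bytes, new_src: str) -> bytes:
    """What 'no source authentication' means in bytes: any party on the path can
    replace the source field and refresh the checksum, and the result verifies."""
    swapped = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]
    zeroed = swapped[:10] + b"\x00\x00" + swapped[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]
```

The practical consequence: filtering on source address (ingress filtering at the network edge) and cryptographic protection above IP (TLS, SSH, IPsec) are the controls that actually address points 2 and 3; the header checksum contributes nothing to either.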

IP Spoofing
IP spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another.
• If the victim trusts the spoofed IP, then the attacker is trusted.
• Tracking down the attack leads to the spoofed IP.
Two basic forms of IP spoofing
• Blind spoofing can be used from any source.
• Non-blind spoofing must be on the same subnet.

Blind Spoofing
Attacker cannot see response packets, but
– Some attacks, like DoS, do not want to receive response packets, and
– Some responses can be guessed sufficiently accurately to carry on a conversation, such as TCP hijacking attacks.

Network Tests with ICMP
Internet Control Message Protocol (ICMP)
– Used for network testing and debugging.
– Simple messages encapsulated in single IP packets.
– Considered a network layer protocol.
ICMP-based Network Testing Tools
– ping: sends echo request messages and provides statistics on round-trip times and packet loss.
– traceroute: sends a series of ICMP packets with increasing TTL values to discover routes.

ICMP DoS Attacks
Ping of death
– ICMP specifies messages must fit in a single IP packet (64 KB).
– Send a ping packet that exceeds the maximum size using IP fragmentation.
– The reassembled packet caused several operating systems to crash due to a buffer overflow.
Smurf
– Ping a broadcast address using a spoofed source address. A large number of responses is sent to the target whose address was spoofed.

Smurf Attack
(Figure: the attacker sends an echo request to the amplifying network; the many echo responses go to the victim.)

TCP: Transmission Control Protocol
Connection-oriented
– Must establish a connection before sending data.
– 3-way handshake.
Reliable byte-stream
– TCP decides how to divide the stream into packets.
– ACK, timeout, retransmit, reordering.
16-bit source and destination ports
– FTP (21), HTTP (80), POP (110), SMTP (25)

TCP Reliability
1. Breaks data into best-sized chunks.
2. After sending a segment, maintains a timer; if no ACK within the time limit, resends the segment.
3. Sends ACK on receipt of packets.
4. Discards packets on bad checksum of header and data.
5. Receiver resequences TCP segments based on sequence numbers, allowing data to be reassembled correctly no matter what order it arrives in.
6. Receiver discards duplicate segments.
7. Flow control: only sends as much data as the receiver can process.

TCP Header

TCP Connection Establishment
TCP 3-Way Handshake

SYN Floods
Create many half-open connections to the target
– Send SYN packet
– Ignore SYN+ACK response
• (May spoof an invalid source IP address for each SYN)
Target connection table fills up, resulting in DoS
– 3 minute timeout for final ACK
– All new TCP connections refused
Defenses
– Micro-connections (allocate few resources until ACK is seen)
– SYN cookies store state in the TCP ISN, not on the server
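The SYN-cookie defense listed above, together with the 3-way handshake it protects, as an added example (not the slides' code and not any particular kernel's implementation): the server answers every SYN with a SYN+ACK whose initial sequence number is a keyed hash of the connection 4-tuple and a coarse time counter, stores nothing, and only creates connection state when the third packet's ACK number proves the client received that ISN. Half-open SYNs therefore cost no table entry. The bit layout, the `SECRET`, the MSS table and the time counter are assumptions for the example.

```python
# Added example: stateless SYN cookies for the 3-way handshake; not the slides' code.
# Cookie layout used here (32 bits):
#   bits 31..27  5-bit time counter (t mod 32)
#   bits 26..24  index into MSS_TABLE (the MSS the client offered must be remembered somewhere)
#   bits 23..0   truncated HMAC over the 4-tuple and t
import hashlib
import hmac

SECRET = b"constructed-example-secret-rotate-in-practice"   # assumed server secret
MSS_TABLE = [536, 1220, 1440, 1460]                          # encodable MSS values (3 bits)
MAX_COOKIE_AGE = 4                                           # counter ticks a cookie stays valid


def _cookie_hash(src: str, sport: int, dst: str, dport: int, t: int) -> int:
    """24-bit keyed hash binding the cookie to the connection 4-tuple and time tick."""
    msg = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src: str, sport: int, dst: str, dport: int, mss: int, t: int) -> int:
    """ISN to place in the SYN+ACK; t is the server's coarse time counter (e.g. minutes)."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):        # largest table value not above the offered MSS
        if m <= mss:
            mss_idx = i
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _cookie_hash(src, sport, dst, dport, t)


def check_syn_cookie(cookie: int, src: str, sport: int, dst: str, dport: int, now: int):
    """Return the MSS encoded in a valid, fresh cookie, or None if it is forged or stale."""
    t_field = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    expected = cookie & 0xFFFFFF
    for age in range(MAX_COOKIE_AGE + 1):   # try each recent tick matching the 5-bit field
        t = now - age
        if (t & 0x1F) == t_field and _cookie_hash(src, sport, dst, dport, t) == expected:
            return MSS_TABLE[mss_idx]
    return None


class StatelessSynServer:
    """Server side of the handshake that keeps no half-open connection state."""

    def __init__(self, ip: str, port: int):
        self.ip, self.port = ip, port
        self.established = {}   # (client_ip, client_port) -> negotiated MSS

    def on_syn(self, client_ip: str, client_port: int, client_mss: int, now: int) -> dict:
        """Packet 1 (SYN) in, packet 2 (SYN+ACK) out. Nothing is stored."""
        isn = make_syn_cookie(client_ip, client_port, self.ip, self.port, client_mss, now)
        return {"flags": "SYN+ACK", "seq": isn}

    def on_ack(self, client_ip: str, client_port: int, ack_num: int, now: int) -> bool:
        """Packet 3 (ACK) in: it acknowledges ISN+1, so ISN = ack-1 is the cookie to verify.
        State is allocated only here, once the client has proven it saw the SYN+ACK."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        mss = check_syn_cookie(cookie, client_ip, client_port, self.ip, self.port, now)
        if mss is None:
            return False
        self.established[(client_ip, client_port)] = mss
        return True
```

A flood of SYNs from spoofed addresses never reaches `on_ack` with a valid cookie, so `established` stays empty and the 3-minute half-open timeout from the slide never has to be paid. The cost is that TCP options beyond the MSS cannot be remembered, which is why real stacks only switch to cookies under load.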

TCP Connection Termination

TCP Session Killing
RST
– Need one valid TCP sequence number.
– Send RST segment with spoofed IP address and valid sequence number.
– May need to send multiple RSTs in case the host receives a TCP segment with your chosen sequence number before your RST segment.
FIN
– Need valid TCP sequence + ACK numbers.
– Send FIN+ACK segment with spoofed IP address to terminate the session.
– Receive FIN packet in response, verifying the kill if successful.

TCP Session Hijacking
A TCP session hijacking attack is when an attacker takes control of an existing TCP session. The attacker must be able to
– Spoof the IP address of one side of the connection.
– Predict TCP sequence numbers.
Gives the threat access to authenticated sessions.
Defenses:
– Random initial TCP sequence numbers.
– Use encrypted protocols like SSH, so the attacker cannot interact with the system due to inability to send properly encrypted traffic.
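Both the RST-based session killing slide and the hijacking defenses above turn on one question: which sequence numbers will the receiver accept? The following is an added example (not from the slides) of the receiver-side check. `in_window` is the RFC 793 acceptance test; `on_rst` contrasts the older rule, under which any in-window RST tore the connection down, with the RFC 5961 rule, which resets only on an exact match with RCV.NXT and answers other in-window RSTs with a challenge ACK. `blind_rst_success_probability` shows why random ISNs and the strict rule together make a blind spoofer's job impractical. Names and sample values are constructed.

```python
# Added example: sequence-number validation on the receiving side; not the slides' code.
from enum import Enum

SEQ_SPACE = 1 << 32   # TCP sequence numbers wrap modulo 2^32


class RstAction(Enum):
    RESET = "reset-connection"
    CHALLENGE_ACK = "send-challenge-ack"
    DROP = "drop"


class TcpReceiver:
    def __init__(self, rcv_nxt: int, rcv_wnd: int, strict_rst: bool = True):
        self.rcv_nxt = rcv_nxt % SEQ_SPACE   # next sequence number we expect
        self.rcv_wnd = rcv_wnd               # advertised receive window
        self.strict_rst = strict_rst         # True: RFC 5961 rule; False: pre-5961 rule

    def in_window(self, seq: int) -> bool:
        """RFC 793 acceptance test for a segment's sequence number, modulo 2^32."""
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd

    def on_rst(self, seq: int) -> RstAction:
        if seq % SEQ_SPACE == self.rcv_nxt:
            return RstAction.RESET
        if self.in_window(seq):
            # RFC 5961: do not reset; send an ACK carrying RCV.NXT instead. A peer that
            # genuinely reset will reply with a RST at exactly that number; a spoofer
            # who only guessed an in-window value cannot see the challenge.
            return RstAction.CHALLENGE_ACK if self.strict_rst else RstAction.RESET
        return RstAction.DROP


def blind_rst_success_probability(rcv_wnd: int, strict_rst: bool) -> float:
    """Chance that one uniformly random sequence number is accepted as a valid RST.
    With random ISNs the attacker has no better strategy than uniform guessing."""
    accepted = 1 if strict_rst else rcv_wnd
    return accepted / SEQ_SPACE


def count_resets(receiver: TcpReceiver, seqs) -> int:
    """How many of the given sequence numbers this receiver would treat as a valid RST."""
    return sum(1 for s in seqs if receiver.on_rst(s) is RstAction.RESET)
```

The same `in_window` test governs data segments, which is the hook for the hijacking defenses: a randomly chosen ISN makes the window's position unpredictable, and the strict RST rule shrinks the acceptable set from a 64 KB window to a single value.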

TCP Session Hijacking Steps
1. Guess TCP sequence numbers used in the current session between two hosts.
2. Create a desynchronized state so neither side of the connection can talk to the other.
3. Send a packet with the correct SN + ACK and a spoofed client IP address to the server, containing the attack.

ACK Storm
• Noisy side effect of TCP session hijacking.
• Both client and server ACK unacceptable packets with the expected sequence number.
• Each ACK is also unacceptable and generates another ACK response.
• If the network drops a packet, no response is made.
• ACK storms create network congestion, leading to many dropped packets.

Covert Channels in TCP/IP
Covert channels enable communication using techniques not meant for information exchange. Possible techniques include:
– Timing of packets (temporal channel).
– Size of packets.
– Unused header fields (header bit modulation).
– Hiding data in packet body.
Covert channels may be detected by
– Too many packets of certain protocols (ICMP, DNS)
– Too large packets from certain protocols
– Multiple response packets for protocols like ICMP, DNS
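The three detection heuristics listed above, run over flow records, as an added example (not from the slides): a rate rule (too many ICMP or DNS requests from one source inside a sliding window), a size rule (oversized ICMP or DNS packets), and a response-count rule (more replies than requests for a client/server pair). The record format `<unix_ts> <proto> <src> <dst> <bytes> <req|resp>`, the thresholds and the sample log are all constructed for the example; real thresholds would be tuned to the network's baseline.

```python
# Added example: covert-channel heuristics over constructed flow records; not the slides' code.
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>icmp|dns|tcp|udp) (?P<src>\S+) (?P<dst>\S+) (?P<length>\d+) (?P<dir>req|resp)$"
)
RATE_LIMIT = {"icmp": 10, "dns": 50}   # assumed: max requests per WINDOW from one source
WINDOW = 10                             # seconds
MAX_LEN = {"icmp": 128, "dns": 512}     # assumed: largest benign packet in bytes


def parse(lines):
    """Turn log lines into dicts; malformed lines are skipped rather than trusted."""
    recs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"], d["length"] = int(d["ts"]), int(d["length"])
        recs.append(d)
    return recs


def detect(lines):
    """Return sorted (rule, proto, host) alerts for the three slide heuristics."""
    recs = parse(lines)
    alerts = set()

    # Rule 1: too many packets of a protocol from one source within WINDOW seconds.
    by_src = defaultdict(list)
    for r in recs:
        if r["proto"] in RATE_LIMIT and r["dir"] == "req":
            by_src[(r["proto"], r["src"])].append(r["ts"])
    for (proto, src), times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 > RATE_LIMIT[proto]:
                alerts.add(("too-many-packets", proto, src))
                break

    # Rule 2: packets larger than the protocol normally needs.
    for r in recs:
        if r["proto"] in MAX_LEN and r["length"] > MAX_LEN[r["proto"]]:
            alerts.add(("oversized-packet", r["proto"], r["src"]))

    # Rule 3: more responses than requests for a (client, server) pair.
    reqs, resps = Counter(), Counter()
    for r in recs:
        if r["proto"] not in ("icmp", "dns"):
            continue
        if r["dir"] == "req":
            reqs[(r["proto"], r["src"], r["dst"])] += 1
        else:   # a response travels server -> client, so key it by (client, server)
            resps[(r["proto"], r["dst"], r["src"])] += 1
    for key, n in resps.items():
        if n > reqs.get(key, 0):
            alerts.add(("multiple-responses", key[0], key[1]))
    return sorted(alerts)


def _make_sample_log():
    """Constructed records: one chatty ICMP host, one oversized DNS query,
    one DNS query answered three times, and one ordinary host."""
    lines = []
    for i in range(12):
        lines.append(f"{1700000000 + i} icmp 10.0.0.5 198.51.100.9 64 req")
        lines.append(f"{1700000000 + i} icmp 198.51.100.9 10.0.0.5 64 resp")
    lines.append("1700000005 dns 10.0.0.7 198.51.100.53 1400 req")
    lines.append("1700000005 dns 198.51.100.53 10.0.0.7 120 resp")
    lines.append("1700000020 dns 10.0.0.9 198.51.100.53 70 req")
    for i in range(3):
        lines.append(f"{1700000021 + i} dns 198.51.100.53 10.0.0.9 90 resp")
    lines.append("1700000030 icmp 10.0.0.3 198.51.100.9 64 req")
    lines.append("1700000030 icmp 198.51.100.9 10.0.0.3 64 resp")
    lines.append("1700000031 dns 10.0.0.3 198.51.100.53 60 req")
    lines.append("1700000031 dns 198.51.100.53 10.0.0.3 80 resp")
    return lines


SAMPLE_LOG = _make_sample_log()
```

Timing channels (the first technique in the slide's list) are deliberately absent: they need inter-arrival statistics against a baseline rather than per-packet thresholds, and they produce the most false positives of the four.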

Port Knocking
Port knocking is a method of opening ports by making connections to a set of unused ports in a specified sequence.
– Fairly secure against brute force attacks since there are 65536^k combinations, where k is the number of ports knocked.
– Susceptible to replay attacks. If a port knock is sniffed, then the attacker can replay the knock.
Used to hide ports from network scans. Can be used by defenders and attackers.
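The knock daemon's side of the scheme, as an added example (not from the slides): a per-source state machine fed with connection attempts (as a firewall log would supply them) that advances only on the next expected port, resets on a wrong port or a too-slow knock, and opens for the source once the whole sequence arrives. The sequence, timeout and addresses are constructed. Note what the code cannot do: it has no way to tell a sequence replayed from a captured knock apart from the original, which is the replay weakness the slide names.

```python
# Added example: port-knock sequence tracking; not the slides' code.
KNOCK_SEQUENCE = [7000, 8000, 9000]   # assumed secret sequence (k = 3)
KNOCK_TIMEOUT = 5                     # assumed max seconds between consecutive knocks


class KnockDaemon:
    def __init__(self, sequence, timeout):
        self.sequence = list(sequence)
        self.timeout = timeout
        self.progress = {}      # src -> (index of next expected port, ts of last knock)
        self.opened = set()     # sources for which the protected port was opened

    def observe(self, ts: int, src: str, port: int) -> bool:
        """Feed one connection attempt. Returns True once src has completed the sequence."""
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > self.timeout:
            idx = 0                        # too slow: the attempt starts over
        if port == self.sequence[idx]:
            idx += 1                       # correct next knock
        elif port == self.sequence[0]:
            idx = 1                        # wrong, but could be the start of a fresh attempt
        else:
            idx = 0                        # any other port discards the progress so far
        if idx == len(self.sequence):
            self.opened.add(src)           # here a real daemon would add a firewall rule
            idx = 0
        self.progress[src] = (idx, ts)
        return src in self.opened


def keyspace(k: int) -> int:
    """Number of distinct k-port sequences, the 65536^k figure from the slide."""
    return 65536 ** k
```

Keying the state per source is what makes concurrent attempts from different hosts independent; without the timeout, a slow scanner that happens to hit the right ports months apart would still open the port.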

User Datagram Protocol (UDP)
Stateless, unreliable layer 4 protocol.
– Runs on top of IP.
– Trades reliability for speed.
Applications
– Streaming audio/video.
– TFTP (builds simple state on top of UDP.)
– DNS.

UDP Header

Key Points
1. IP addresses are seen by the recipient, unlike MAC addresses
– NAT hides many IP addresses behind one.
2. IP spoofing
– Blind: do not see responses.
– Non-blind: use a sniffer to see responses.
3. Technical DoS: ping of death, smurf, SYN flood
4. TCP session hijacking seizes an authenticated session
– Guess TCP sequence numbers based on the ISN.
– Desynchronize the existing TCP session.
– Threat resynchronizes with the server, seizing control.
5. Cannot hijack encrypted sessions like ssh.
